Posted by ScuttleMonkey on Tuesday June 06, 2006 @01:02AM from the things-to-do-when-you're-bored dept.

Random Hall writes "Dr. Kent Boklan, a former NSA employee and current Director of Security Research for Razorpoint Security Technologies, has described how he recently deciphered a message encrypted by Confederate Army General Edmund Kirby Smith on 14 September 1862."

These guys made every mistake in the book. Putting obvious known words in your plaintext "Louisville", "Covington", "enemy" is asking for trouble. There should be a speech code inside the plaintext, one that can be changed from time to time. Use numbers for your places and throw the plan away at the end of the operation.

Given that there was some really good maths being done 137 years ago, the crypto these people used is surprisingly poor.
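The known-word weakness the comment above describes, as an added example that is not part of the thread: the article does not name the Confederate cipher, so a Vigenère-style repeating-key cipher is assumed here, and the key "RICHMOND", the key length and the dispatch texts are constructed for illustration.

```python
# Added example, not from the thread. Assumes a Vigenere-style repeating-key
# cipher; key "RICHMOND", key length and dispatch texts are constructed.
import string

ALPHA = string.ascii_uppercase

def clean(text):
    """Keep only A-Z, upper-cased, as a cipher clerk of the period would."""
    return "".join(c for c in text.upper() if c in ALPHA)

def vigenere(text, key, decrypt=False):
    text, key = clean(text), clean(key)
    out = []
    for i, c in enumerate(text):
        shift = ALPHA.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
    return "".join(out)

def crib_drag(ciphertext, crib, keylen):
    """Slide a known plaintext word (the crib) along the ciphertext and derive
    the key letters each offset implies; keep an offset only if every key slot
    it touches gets one consistent letter."""
    ciphertext, crib = clean(ciphertext), clean(crib)
    hits = []
    for off in range(len(ciphertext) - len(crib) + 1):
        partial = {}
        for j, p in enumerate(crib):
            k = (ALPHA.index(ciphertext[off + j]) - ALPHA.index(p)) % 26
            if partial.setdefault((off + j) % keylen, k) != k:
                break
        else:
            hits.append((off, partial))
    return hits

def recover_keys(ciphertext, crib, keylen):
    """Full candidate keys from crib placements that cover every key slot."""
    keys = []
    for off, partial in crib_drag(ciphertext, crib, keylen):
        if len(partial) == keylen:
            keys.append("".join(ALPHA[partial[i]] for i in range(keylen)))
    return keys

# Constructed dispatch with exactly the predictable words the comment warns about.
DISPATCH = "THE ENEMY IS MOVING ON LOUISVILLE AND COVINGTON BY THE RIVER ROAD"
CT = vigenere(DISPATCH, "RICHMOND")
# Same dispatch with place names replaced by code numbers: the crib no longer appears.
CODED = "THE ENEMY IS MOVING ON POINT SEVENTEEN AND POINT FOUR BY THE RIVER ROAD"
CT_CODED = vigenere(CODED, "RICHMOND")
```

With "LOUISVILLE" in the plaintext, one crib placement yields the whole key; with the place names coded as numbers, no placement produces it.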

That's also why security through obscurity [wikipedia.org] is bad. If your crypto algorithm is secret (as in a "secret machine" like Enigma, or as in "our brand new military-grade Bull-Shit-Algo(tm) is trade secret"), it becomes part of the key and has to be protected as well (as by Kerckhoffs' law [wikipedia.org]).

That's where Enigma failed: its internal functions were part of the secret. Once captured, it could be reverse engineered (and flaws in it discovered). Compare to another technology-based encoding: PGP, GPG, etc. They all operate on a known basis. If source code is found (which can easily be done in the case of open-source implementations), security is not compromised, as the encryption doesn't rely on the algorithm being kept secret. Only the private key can compromise the encryption and has to be kept secret.

The smaller the secret, the easier it is to keep secret or to update in case of a leak. (Compare: having to update all Enigma decoders vs. only changing the keys used in PGP.)

Using technology for encoding isn't that bad, as long as Kerckhoffs' law is respected.

On the other hand: high-enough troop members aren't that reliable at keeping information undivulged, mostly because they aren't computationally as efficient as modern hardware. Anything that must be decipherable "mentally" by the troops must be easy enough to be done in their heads, and is therefore more susceptible to dictionary, statistical or brute-force attacks using powerful hardware. So you don't even need to capture a troop member. You only need a computer that's much more powerful than the average troop's brain. And knowing how dumb the military can get...